* help me
From: umar draz @ 2005-07-04 10:39 UTC
To: Mr NetFilter
Hi dear members!
I have one interface card in my Linux machine <eth0>.
Now I attach a DSL modem to this interface, and now I
want to block all incoming traffic,
but I want to be able to access everything.
How can I do it?
regards
Umar Draz
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
* Re: help me
From: Christoph Georgi @ 2005-07-04 10:47 UTC
To: umar draz; +Cc: Mr NetFilter
Make the default policy of the incoming chain (INPUT) DROP, but allow
established and related traffic, and allow all outgoing traffic by
setting the default policy to ACCEPT for the OUTPUT chain (although it's
advised to specify the outgoing traffic further...)
# drops all traffic
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
# allow established and related incoming traffic
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
christoph
umar draz wrote:
> Hi dear members!
>
> I have one interface card in my Linux machine <eth0>.
>
> Now I attach a DSL modem to this interface, and now I
> want to block all incoming traffic,
>
> but I want to be able to access everything.
>
> How can I do it?
>
> regards
>
> Umar Draz
>
--
Christoph Georgi
-----------------------------
email. christoph.georgi@web.de
fon. +64 (0)9 815 8259
registered linux user #380268
ubuntu 5.04 (ubuntu.com)
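The rules Christoph sketches, filled out into a complete ruleset as an added example (not code from either poster): it emits iptables-restore format so the whole set loads atomically, and adds the loopback, INVALID and rate-limited logging rules a default-DROP INPUT chain needs in practice. The interface name eth0 and the log rate are assumptions.

```shell
#!/bin/sh
# Added example (not from the posts): stateful default-drop ruleset for a
# host whose only link is a DSL modem on one interface. Output is in
# iptables-restore format so the whole set loads atomically (no window
# where INPUT is DROP but the ESTABLISHED rule is not yet present).
# "-m conntrack --ctstate" is the current spelling of "-m state --state".

# Usage: dsl_rules IFACE   -> prints the ruleset on stdout
dsl_rules() {
    iface="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must stay open or local services (resolver, X, cups...) break
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened: the "access everything" half
-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot tie to any flow: drop them before they reach the log
-A INPUT -i $iface -m conntrack --ctstate INVALID -j DROP
# rate-limited record of what the DROP policy is about to eat
-A INPUT -i $iface -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "DSL-DROP: " --log-level 4
COMMIT
EOF
}

# Usage: dsl_apply IFACE   -> loads the ruleset (root and iptables-restore required)
dsl_apply() {
    dsl_rules "$1" | iptables-restore
}

# Usage: dsl_rules eth0 > /etc/iptables.rules   (review it, then: dsl_apply eth0)
```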
* Re: help me
From: /dev/rob0 @ 2005-07-04 13:45 UTC
To: netfilter
On Monday 04 July 2005 05:47, Christoph Georgi wrote:
> make the default policy of the incoming chain (input) drop, but allow
> established and related traffic, and allow all outgoing traffic by
> setting the default policy to allow for the output chain (although
> it's advised to specify the outgoing traffic further...)
Why, and by whom, is that advised?
> umar draz wrote:
> > [snip]
> > how i can do it
All this is clearly described in the Packet Filtering HOWTO. Or you can
use one of many ready-made scripts without bothering to learn how
firewalls work.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* help me
From: bash @ 2006-03-29 0:19 UTC
To: netfilter
Hello All,
I want to dynamically block some IPs that load my router with --state NEW
packets (usually generated by the very aggressive NetLook Windows
program). But there is a problem: -m limit will block all my router's
users, and I want to block just one IP :/
--
Biomechanica Artificial Sabotage Humanoid
* Re: help me
From: John A. Sullivan III @ 2006-03-29 1:50 UTC
To: bash; +Cc: netfilter
On Wed, 2006-03-29 at 04:19 +0400, bash wrote:
> Hello All,
>
> I want to dynamically block some IPs that load my router with --state NEW
> packets (usually generated by the very aggressive NetLook Windows
> program). But there is a problem: -m limit will block all my router's
> users, and I want to block just one IP :/
I'm not entirely sure of what you want to do. Why can you not match on
source? If you want, match the one IP and send all traffic for that IP
to a user-defined chain, e.g.:
iptables -A FORWARD -s 10.1.1.100 -j SpecialChain
iptables -A SpecialChain -j DOWHATEVERYOUWANT
If it is that you want to exempt certain addresses, send all the packets
to a user-defined chain and RETURN the exemptions, e.g.:
iptables -A FORWARD -j LimitChain
iptables -A LimitChain -m iprange --src-range 10.1.1.70-10.1.1.223 -j RETURN
iptables -A LimitChain -j LOG, DROP, LIMIT, WHATEVERYOUWANTTODO
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
* Re: help me
From: bash @ 2006-03-29 3:29 UTC
To: John A. Sullivan III; +Cc: netfilter
On Tue, 28 Mar 2006 20:50:51 -0500
"John A. Sullivan III" <jsullivan@opensourcedevel.com> wrote:
> On Wed, 2006-03-29 at 04:19 +0400, bash wrote:
> > Hello All,
> >
> > I want to dynamically block some IPs that load my router with --state NEW
> > packets (usually generated by the very aggressive NetLook Windows
> > program). But there is a problem: -m limit will block all my router's
> > users, and I want to block just one IP :/
> I'm not entirely sure of what you want to do. Why can you not match on
> source? If you want, match the one IP and send all traffic for that IP
> to a user-defined chain, e.g.:
> iptables -A FORWARD -s 10.1.1.100 -j SpecialChain
> iptables -A SpecialChain -j DOWHATEVERYOUWANT
>
> If it is that you want to exempt certain addresses, send all the packets
> to a user-defined chain and RETURN the exemptions, e.g.:
>
> iptables -A FORWARD -j LimitChain
> iptables -A LimitChain -m iprange --src-range 10.1.1.70-10.1.1.223 -j RETURN
> iptables -A LimitChain -j LOG, DROP, LIMIT, WHATEVERYOUWANTTODO
The problem is that I don't know the IP of this machine.... And anyone in
my net can run the NetLook program... So I want that if someone in my net
exceeds the limit, then iptables will block this IP dynamically....
--
Biomechanica Artificial Sabotage Humanoid
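An added example (not code from either poster) that combines John's user-defined chain with RETURN exemptions and the per-source behaviour bash asks for: the recent match keeps one entry per source IP in the kernel, which is exactly what -m limit (one global counter) lacks, so the host running NetLook is blocked by its own connection rate without its address being known in advance. The interface eth1, the exempt range, the thresholds and the table name newflood are assumptions.

```shell
#!/bin/sh
# Added example (not from the posts): user-defined chain with RETURN
# exemptions plus a per-source "recent" table, so any LAN host that opens
# too many new connections is dropped without its address being known
# in advance. -m limit keeps one global counter, which is why it throttled
# every user; -m recent keeps one entry per source IP.

# Usage: newlimit_rules IFACE EXEMPT_RANGE SECONDS HITCOUNT
#   IFACE         LAN-side interface the NEW packets arrive on
#   EXEMPT_RANGE  hosts never throttled (iprange syntax: first-last)
#   SECONDS/HITCOUNT  HITCOUNT or more new connections within SECONDS from
#                 one source puts it on the block list (default kernel cap: 20)
newlimit_rules() {
    iface="$1"; exempt="$2"; secs="$3"; hits="$4"
    cat <<EOF
*filter
:LimitChain - [0:0]
# only connection attempts enter the chain; replies never do
-A FORWARD -i $iface -m conntrack --ctstate NEW -j LimitChain
# exemptions leave untouched, the RETURN trick from the reply above
-A LimitChain -m iprange --src-range $exempt -j RETURN
# source already over the threshold: --update refreshes its timestamp, so the
# block holds until the host has been quiet for $secs seconds; log a few, drop all
-A LimitChain -m recent --name newflood --rsource --update --seconds $secs --hitcount $hits -m limit --limit 3/min -j LOG --log-prefix "NEWFLOOD: "
-A LimitChain -m recent --name newflood --rsource --update --seconds $secs --hitcount $hits -j DROP
# otherwise record this attempt and let it through
-A LimitChain -m recent --name newflood --rsource --set -j RETURN
COMMIT
EOF
}

# Usage: newlimit_apply IFACE EXEMPT_RANGE SECONDS HITCOUNT   (root required)
# -n/--noflush appends to the live filter table instead of replacing it
newlimit_apply() {
    newlimit_rules "$@" | iptables-restore -n
}

# Usage: newlimit_show   -> lists the sources currently tracked or blocked
newlimit_show() {
    for f in /proc/net/xt_recent/newflood /proc/net/ipt_recent/newflood; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo "recent table newflood is not loaded" >&2; return 1
}

# Usage: newlimit_forget IP   -> removes one source from the table by hand
newlimit_forget() {
    echo "-$1" > /proc/net/xt_recent/newflood
}
```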
* RE: Help Me
From: George Vieira @ 2003-06-10 22:20 UTC
To: Pham Dinh Hieu, netfilter
My advice:
1. Download a new kernel source (don't use RedHat's source)
2. Place it in /usr/src/linux-2.4.xx and then use ln -s /usr/src/linux-2.4.xx /usr/src/linux
3. Compile iptables against the new kernel (make clean && make)
It's easier when you have fresh source code, and easier when it's time to patch other stuff in.
Thanks,
____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd Systems Manager georgev AT citadelcomputer DOT com DOT au
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644 HelpDesk: +61 2 9955 2698 <http://www.citadelcomputer.com.au/> http://www.citadelcomputer.com.au
-----Original Message-----
From: Pham Dinh Hieu [mailto:pdhieu@saigontel.com]
Sent: Tuesday, June 10, 2003 4:31 PM
To: netfilter@lists.samba.org
Subject: Help Me
Dear All,
I want to install iptables-1.2.7a but I have trouble compiling it.
The system displays the following message:
[root@fw iptables-1.2.7a]# make KERNEL_DIR=/home/test/linux-2.4.17
Making dependencies: please wait...
Extensions found:
cc -O2 -Wall -Wunused -I/home/user/linux-2.4.17/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\" -fPIC -o\
extensions/libipt_ah_sh.o -c extensions/libipt_ah.c
ld -shared -o extensions/libipt_ah.so extensions/libipt_ah_sh.o
cc -O2 -Wall -Wunused -I/home/user/linux-2.4.17/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\" -fPIC -o\
extensions/libipt_conntrack_sh.o -c extensions/libipt_conntrack.c
In file included from extensions/libipt_conntrack.c:15:
include/linux/netfilter_ipv4/ipt_conntrack.h:28: `IP_CT_DIR_MAX' undeclared here (not in a function)
include/linux/netfilter_ipv4/ipt_conntrack.h:29: `IP_CT_DIR_MAX' undeclared here (not in a function)
include/linux/netfilter_ipv4/ipt_conntrack.h:29: `IP_CT_DIR_MAX' undeclared here (not in a function)
extensions/libipt_conntrack.c: In function `parse_status':
extensions/libipt_conntrack.c:103: `IPS_EXPECTED' undeclared (first use in this function)
extensions/libipt_conntrack.c:103: (Each undeclared identifier is reported only once
extensions/libipt_conntrack.c:103: for each function it appears in.)
extensions/libipt_conntrack.c:105: `IPS_SEEN_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c:107: `IPS_ASSURED' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `parse':
extensions/libipt_conntrack.c:202: `IP_CT_DIR_ORIGINAL' undeclared (first use in this function)
extensions/libipt_conntrack.c:259: `IP_CT_DIR_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `print_status':
extensions/libipt_conntrack.c:364: `IPS_EXPECTED' undeclared (first use in this function)
extensions/libipt_conntrack.c:368: `IPS_SEEN_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c:372: `IPS_ASSURED' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `matchinfo_print':
extensions/libipt_conntrack.c:420: `IP_CT_DIR_ORIGINAL' undeclared (first use in this function)
extensions/libipt_conntrack.c:440: `IP_CT_DIR_REPLY' undeclared (first use in this function)
make: *** [extensions/libipt_conntrack_sh.o] Error 1
Please help me to install iptables on Redhat Linux 7.3 or 8.0
Thanks.
Best Regards
DunHill
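An added check (not from either poster) for the failure quoted above: before running make, confirm that the tree KERNEL_DIR points at declares the conntrack symbols libipt_conntrack.c needs, since a tree that lacks them produces exactly the "undeclared" cascade shown and George's fresh-source advice is the fix. The symbol list is taken from the error output; that they live under the kernel tree's include/linux/netfilter_ipv4/, and the header name used by the compile probe, are assumptions.

```shell
#!/bin/sh
# Added example (not from the posts): sanity-check a kernel source tree
# before "make KERNEL_DIR=...". The symbols are the ones the quoted build
# reports as undeclared; they must come from the kernel's own headers under
# include/linux/netfilter_ipv4/ (assumed location). grep cannot see whether a
# hit sits inside #ifdef __KERNEL__, so a pass is necessary, not sufficient;
# ct_compile_probe does the definitive test when a C compiler is available.

CT_SYMBOLS="IP_CT_DIR_ORIGINAL IP_CT_DIR_REPLY IP_CT_DIR_MAX IPS_EXPECTED IPS_SEEN_REPLY IPS_ASSURED"

# Usage: ct_header_check KERNEL_DIR -> 0 if every symbol is found, 1 otherwise;
# the missing ones go to stderr so you know the tree is too old for 1.2.7a
ct_header_check() {
    hdrdir="$1/include/linux/netfilter_ipv4"
    if [ ! -d "$hdrdir" ]; then
        echo "$1: no $hdrdir, not a kernel source tree" >&2
        return 1
    fi
    rc=0
    for sym in $CT_SYMBOLS; do
        if ! grep -rqw -- "$sym" "$hdrdir"; then
            echo "missing: $sym" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: ct_compile_probe KERNEL_DIR -> compiles a three-line probe against the
# tree the way the iptables build does (header name assumed; the tree should be
# configured first). A failure reproduces the error quoted above.
ct_compile_probe() {
    dir=$(mktemp -d) || return 1
    probe="$dir/probe.c"
    printf '#include <linux/netfilter_ipv4/ip_conntrack.h>\nint dirs = IP_CT_DIR_MAX;\nint st = IPS_EXPECTED | IPS_SEEN_REPLY | IPS_ASSURED;\n' > "$probe"
    cc -I"$1/include" -c -o /dev/null "$probe"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```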
* Help Me
From: Pham Dinh Hieu @ 2003-06-10 6:31 UTC
To: netfilter
Dear All,
I want to install iptables-1.2.7a but I have trouble compiling it.
The system displays the following message:
[root@fw iptables-1.2.7a]# make KERNEL_DIR=/home/test/linux-2.4.17
Making dependencies: please wait...
Extensions found:
cc -O2 -Wall -Wunused -I/home/user/linux-2.4.17/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\" -fPIC -o\
extensions/libipt_ah_sh.o -c extensions/libipt_ah.c
ld -shared -o extensions/libipt_ah.so extensions/libipt_ah_sh.o
cc -O2 -Wall -Wunused -I/home/user/linux-2.4.17/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.7a\" -fPIC -o\
extensions/libipt_conntrack_sh.o -c extensions/libipt_conntrack.c
In file included from extensions/libipt_conntrack.c:15:
include/linux/netfilter_ipv4/ipt_conntrack.h:28: `IP_CT_DIR_MAX' undeclared here (not in a function)
include/linux/netfilter_ipv4/ipt_conntrack.h:29: `IP_CT_DIR_MAX' undeclared here (not in a function)
include/linux/netfilter_ipv4/ipt_conntrack.h:29: `IP_CT_DIR_MAX' undeclared here (not in a function)
extensions/libipt_conntrack.c: In function `parse_status':
extensions/libipt_conntrack.c:103: `IPS_EXPECTED' undeclared (first use in this function)
extensions/libipt_conntrack.c:103: (Each undeclared identifier is reported only once
extensions/libipt_conntrack.c:103: for each function it appears in.)
extensions/libipt_conntrack.c:105: `IPS_SEEN_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c:107: `IPS_ASSURED' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `parse':
extensions/libipt_conntrack.c:202: `IP_CT_DIR_ORIGINAL' undeclared (first use in this function)
extensions/libipt_conntrack.c:259: `IP_CT_DIR_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `print_status':
extensions/libipt_conntrack.c:364: `IPS_EXPECTED' undeclared (first use in this function)
extensions/libipt_conntrack.c:368: `IPS_SEEN_REPLY' undeclared (first use in this function)
extensions/libipt_conntrack.c:372: `IPS_ASSURED' undeclared (first use in this function)
extensions/libipt_conntrack.c: In function `matchinfo_print':
extensions/libipt_conntrack.c:420: `IP_CT_DIR_ORIGINAL' undeclared (first use in this function)
extensions/libipt_conntrack.c:440: `IP_CT_DIR_REPLY' undeclared (first use in this function)
make: *** [extensions/libipt_conntrack_sh.o] Error 1
Please help me to install iptables on Redhat Linux 7.3 or 8.0
Thanks.
Best Regards
DunHill